Roel Schouwenberg, a security researcher at Kaspersky Labs, on Thursday afternoon warned security professionals attending RSA 2012, one of the industry’s foremost gatherings, that design flaws in Chrome OS and iCloud may make them unsuitable for business use.

Schouwenberg praised Google for developing a rock-solid platform from a security point of view, but warned that users were still exposed to attack through the apps running in their browsers.

“Everyone has heard about the huge increase in Android malware, a lot can be found in the Android marketplace,” Schouwenberg said. “The same problems exist in the Chrome marketplace.”

Schouwenberg said malicious Chrome apps are less prevalent than malicious mobile apps but noted that it is also difficult to detect malware on Chromebooks, slimmed-down computers that run only the Chrome OS and browser, because they aren’t protected by anti-malware programs.

As an example, he cited a Chrome app that Kaspersky Labs identified that tried to steal a person’s Facebook credentials.

Google issued a statement in response to Schouwenberg’s claims: “We’re thankful to Mr. Schouwenberg for recognizing the strong security design we have built into Chrome and Chrome OS from the start, but he missed on a few important points.

“Mr. Schouwenberg’s comments mischaracterize the state of both the Android Market and Chrome Web Store. We announced recently that we saw a 40 percent drop in the amount of potentially malicious downloads in Android Market between the first and second halves of 2011, and the situation for the Chrome Web Store is even better.

“From day one, we’ve designed Chrome’s extension system with security in mind. Since we launched the extension system, the state of the art in Web security has advanced with technologies like Content-Security-Policy (CSP). Extension developers have been able to opt into these features for some time, and just yesterday we announced we’re starting to enable these security features by default.

“It’s not accurate to say that you can’t run malware protection on Chrome. For one, Chrome has built-in malware protection through our safe browsing service. In the case of developers, we believe that our extension APIs provide the tools needed for an anti-virus vendor, like Kaspersky, to create an extension-based solution of their specification. The extension would also work on multiple platforms and could integrate nicely with their native-code anti-virus solutions on platforms that—unlike Chrome—do allow untrusted native code to execute.”

Schouwenberg also described several risks associated with Apple’s iOS operating system and iCloud online storage offering. According to Schouwenberg, the primary threat was data leakage. Among other problems, Schouwenberg noted that Apple is not using typical SMS protocols but is instead handling SMS as data. “This makes it possible for me to take the SIM card from my iPhone and put it in another phone,” he explained. Even after taking back his card, he said, the other phone could still receive his SMS messages.

Apple did not respond to multiple requests for comment.

Schouwenberg said that Apple also shared notes he had created on an Apple device even after he turned note sharing off. Specifically, he said, the notes showed up in email. “That is not good,” he said. “That should be a huge no no.”

A third risk of using Apple’s iOS is that it will sometimes supersede user settings and connect to certain available wifi access points, Schouwenberg said. “The device could be leaking data if it is connected to an unsecured wifi access point that could be sniffed,” he said. “This may be convenient but it is not secure.”

Schouwenberg noted that these problems will likely be quickly addressed, but he said that trust issues persist. He noted that the security community has known for years about malware that can be used to make unauthorized purchases from iTunes accounts. While Apple asks customers to report any unauthorized purchases, it has never officially acknowledged the problem of online criminals targeting its users, he said. “Over all these years, Apple has known about this and said nothing,” Schouwenberg said.